[Snort-users] Pulledpork and preprocessor rules

Dave Corsello snort-users at ...15598...
Fri Jan 24 10:37:14 EST 2014


Duh.  Thanks.  I also got it to work using pcre:REPUTATION.

On 1/24/2014 10:00 AM, Ward Sladek wrote:
> Add "136:1" and "136:2" to enablesid.conf instead of 1:136 and 2:136.
>
>
>
> > Date: Thu, 23 Jan 2014 21:43:50 -0500
> > From: snort-users at ...15598...
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Pulledpork and preprocessor rules
> >
> > Hi Ed,
> >
> > Thanks for your reply. Maybe I should be more specific in what I want
> > to do. I currently have rules enabled by policy. In addition, I want
> > to turn on just the two reputation preprocessor rules, 1:136 and 2:136.
> > I don't see a way to accomplish that with the categories that you
> > provided. What am I missing?
> >
> > --Dave
> >
> > On 1/23/2014 3:47 PM, SnortFan wrote:
> > > > Here is the list as best as I can tell from what's in the snort
> > > > rules file. When I place them into the enablesid.conf file and pull I
> > > > get the mother lode of rules. I don't recommend turning them all on.
> > >
> > > app-detect
> > > blacklist
> > > browser-chrome
> > > browser-firefox
> > > browser-ie
> > > browser-other
> > > browser-plugins
> > > browser-webkit
> > > content-replace
> > > decoder
> > > dos
> > > exploit-kit
> > > file-executable
> > > file-flash
> > > file-identify
> > > file-image
> > > file-java
> > > file-multimedia
> > > file-office
> > > file-other
> > > file-pdf
> > > indicator-compromise
> > > indicator-obfuscation
> > > indicator-scan
> > > indicator-shellcode
> > > malware-backdoor
> > > malware-cnc
> > > malware-other
> > > malware-tools
> > > netbios
> > > os-linux
> > > os-mobile
> > > os-other
> > > os-solaris
> > > os-windows
> > > policy-multimedia
> > > policy-other
> > > policy-social
> > > policy-spam
> > > preprocessor
> > > protocol-dns
> > > protocol-finger
> > > protocol-ftp
> > > protocol-icmp
> > > protocol-imap
> > > protocol-nntp
> > > protocol-pop
> > > protocol-rpc
> > > protocol-scada
> > > protocol-services
> > > protocol-snmp
> > > protocol-telnet
> > > protocol-tftp
> > > protocol-voip
> > > pua-adware
> > > pua-other
> > > pua-p2p
> > > pua-toolbars
> > > server-apache
> > > server-iis
> > > server-mail
> > > server-mssql
> > > server-mysql
> > > server-oracle
> > > server-other
> > > server-samba
> > > server-webapp
> > > sql
> > > x11
> > >
> > > Sent from a mobile device.
> > >
> > >> On Jan 23, 2014, at 8:44 AM, SnortFan <SnortFan at ...131...> wrote:
> > >>
> > >> Hi Dave,
> > >> It looks like it pulls them down and places them in the
> > >> snort.rules file. I don't see where it replaces the gen-msg.map file
> > >> but if you search in the snort.rules file for one of the GIDs you
> > >> should see them.
> > >>
> > >> Cheers,
> > >> Ed
> > >>
> > >> Sent from a mobile device.
> > >>
> > >>> On Jan 23, 2014, at 7:43 AM, Dave Corsello
> > >>> <snort-users at ...15598...> wrote:
> > >>>
> > >>> I thought this would be a pretty basic question, but I haven't
> > >>> been able to locate an answer yet. How do you enable preproc rules in
> > >>> pulledpork? I tried adding "1:136,2:136" to enablesid.conf, but it
> > >>> didn't work.
> > >>>
> > >>>
> ------------------------------------------------------------------------------
> > >>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> > >>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> > >>> Critical Workloads, Development Environments & Everything In
> Between.
> > >>> Get a Quote or Start a Free Trial Today.
> > >>>
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> > >>> _______________________________________________
> > >>> Snort-users mailing list
> > >>> Snort-users at lists.sourceforge.net
> > >>> Go to this URL to change user options or unsubscribe:
> > >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> > >>> Snort-users list archive:
> > >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >>>
> > >>> Please visit http://blog.snort.org to stay current on all the
> > >>> latest Snort news!
> > >>
> ------------------------------------------------------------------------------
> > >> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> > >> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> > >> Critical Workloads, Development Environments & Everything In Between.
> > >> Get a Quote or Start a Free Trial Today.
> > >>
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> > >> _______________________________________________
> > >> Snort-users mailing list
> > >> Snort-users at lists.sourceforge.net
> > >> Go to this URL to change user options or unsubscribe:
> > >> https://lists.sourceforge.net/lists/listinfo/snort-users
> > >> Snort-users list archive:
> > >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >>
> > >> Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
> >
> >
> >
> ------------------------------------------------------------------------------
> > CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> > Learn Why More Businesses Are Choosing CenturyLink Cloud For
> > Critical Workloads, Development Environments & Everything In Between.
> > Get a Quote or Start a Free Trial Today.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
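The fix in this thread is the order of the two numbers: pulledpork's enablesid.conf entries are written gid:sid, so "1:136" asks for generator 1 (the text rules) with SID 136, not the reputation preprocessor rule, which is generator 136, SID 1. The following added example (not pulledpork's own code, written here to illustrate the point) parses a constructed snort.rules-style sample and reports which rules each enablesid.conf entry would select. It models only the gid:sid and pcre: entry types; category names and SID ranges are left out, and it assumes (as an assumption about pulledpork, not a documented fact) that a pcre: pattern is tested against the whole rule line.

```python
import re

# Constructed sample in the shape pulledpork writes into snort.rules.
# Illustrative only: the first three lines mirror the header-less form of
# Snort's preprocessor/decoder rules (explicit gid), the last two are
# ordinary text rules, one of them commented out (disabled).
SAMPLE_RULES = """\
alert ( msg:"REPUTATION: Packet is blacklisted"; sid:1; gid:136; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )
alert ( msg:"REPUTATION: Packet is whitelisted"; sid:2; gid:136; rev:1; metadata:rule-type preproc; classtype:bad-unknown; )
alert ( msg:"DECODE_IPV4OPT_BADLEN"; sid:4; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert icmp any any -> any any (msg:"CONSTRUCTED text rule with sid 136"; sid:136; rev:1; classtype:misc-activity;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled text rule"; sid:2000; rev:1; classtype:misc-activity;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Extract gid, sid and msg from every rule line; gid defaults to 1.

    Commented-out rules are parsed too, because enablesid.conf exists
    precisely to turn disabled rules back on.
    """
    rules = []
    for line in text.splitlines():
        body = line.lstrip().lstrip("#").lstrip()
        if not body.startswith(ACTIONS):
            continue
        start, end = body.find("("), body.rfind(")")
        if start < 0 or end < start:
            continue
        opts = body[start + 1:end]
        sid = SID_RE.search(opts)
        if not sid:
            continue
        gid = GID_RE.search(opts)
        msg = MSG_RE.search(opts)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,   # Snort text rules default to gid 1
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
            "text": line,
        })
    return rules


def parse_enablesid(text):
    """Parse a subset of enablesid.conf (assumed format, not pulledpork's parser).

    '#' lines are comments, a line starting with 'pcre:' is one regex entry,
    any other line is a comma-separated list of gid:sid entries.
    """
    selectors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("pcre:"):
            selectors.append(("pcre", line[len("pcre:"):]))
            continue
        for item in line.split(","):
            item = item.strip()
            if not item:
                continue
            if not re.fullmatch(r"\d+:\d+", item):
                raise ValueError(f"unsupported enablesid entry: {item!r}")
            gid, sid = item.split(":")
            selectors.append(("gidsid", (int(gid), int(sid))))
    return selectors


def selected_rules(rules_text, enablesid_text):
    """Map each enablesid entry to the (gid, sid) pairs it would enable."""
    rules = parse_rules(rules_text)
    result = {}
    for kind, value in parse_enablesid(enablesid_text):
        if kind == "gidsid":
            label = f"{value[0]}:{value[1]}"
            hits = [r for r in rules if (r["gid"], r["sid"]) == value]
        else:
            label = f"pcre:{value}"
            pattern = re.compile(value)      # assumed: tested against the whole rule line
            hits = [r for r in rules if pattern.search(r["text"])]
        result[label] = [(r["gid"], r["sid"]) for r in hits]
    return result


if __name__ == "__main__":
    # The three variants from the thread: the failed attempt, the fix, and the pcre route.
    for conf in ("1:136,2:136", "136:1,136:2", "pcre:REPUTATION"):
        for entry, hits in selected_rules(SAMPLE_RULES, conf).items():
            print(f"{entry:>18} -> {hits or 'matches nothing'}")
```

Run against the constructed sample, "1:136" selects the ordinary text rule that happens to carry SID 136 and "2:136" selects nothing, while "136:1", "136:2" and "pcre:REPUTATION" select the two reputation preprocessor rules. Dry-running enablesid.conf changes this way before a pull is a cheap guard against silently enabling the wrong rule.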
